Efficient filtering support for high-speed network intrusion detection

  • Authors: David Wagner; Jose Maria Gonzalez
  • Affiliations: University of California, Berkeley (both authors)

  • Year: 2005


Abstract

Network Intrusion Prevention Systems (NIPS) are a key element in defending networks against all kinds of malware (worms, viruses, etc.). This investigation addresses functionality and performance issues that arise when such systems run on very high-speed networks (1 Gbps or faster). The traditional way to carry out sound intrusion prevention is a software-based approach, since only software provides the flexibility and dynamic functionality required to detect rapidly evolving malware. The main obstacle to deploying software-based NIPS in high-volume environments is performance, measured as the amount of traffic the NIPS is able to process. NIPS pose a double challenge to system performance, namely processing load and internal state storage management. We argue that any approach that intends to run NIPS on high-speed links must rely on efficient filtering, i.e., it must let the NIPS decide efficiently which traffic it is interested in analyzing and which it is not. The first contribution of this thesis work is the development of filtering techniques crucial for the operation of network intrusion detection and prevention in high-volume environments. In the first part of the dissertation we discuss new filtering models. We introduce innovative ways to take advantage of traffic filtered using traditional packet filter capabilities, and new mechanisms to extend packet filter capabilities with fine-grained abstractions. In the second part of the dissertation, we go a step further with one of the abstractions introduced earlier and discuss a packet processing architecture based on implementing that abstraction in a hardware device. The key insight of the approach is that some packet processing tools, including NIPS, can benefit enormously from the addition of a reduced set of very simple operations oriented to performing fast classification of traffic. These operations are simple enough to permit an extremely fast hardware implementation. We illustrate the performance of the architecture by describing a prototype and our experience with its use.